6 files changed, 48 insertions, 2 deletions
diff --git a/etc/empathy.profile b/etc/empathy.profile
index 371100814..2a0a6389c 100644
--- a/etc/empathy.profile
+++ b/etc/empathy.profile
@@ -6,5 +6,7 @@ include /etc/firejail/disable-devel.inc
 caps.drop all
 netfilter
 nonewprivs
+nogroups
+noroot
 protocol unix,inet,inet6
 seccomp
diff --git a/etc/keepass2.profile b/etc/keepass2.profile
new file mode 100644
index 000000000..fd390f7ed
--- /dev/null
+++ b/etc/keepass2.profile
@@ -0,0 +1,6 @@
+# keepass password manager profile
+#noblacklist ${HOME}/.config/KeePass
+#noblacklist ${HOME}/.keepass
+ 
+include /etc/firejail/keepass.profile
diff --git a/etc/kmail.profile b/etc/kmail.profile
index bc21ba604..410ff36c6 100644
--- a/etc/kmail.profile
+++ b/etc/kmail.profile
@@ -16,4 +16,4 @@ seccomp
 tracelog
 private-dev
-private-tmp
+# private-tmp
diff --git a/etc/mupdf.profile b/etc/mupdf.profile
index e022866e8..dc23d5840 100644
--- a/etc/mupdf.profile
+++ b/etc/mupdf.profile
@@ -16,7 +16,7 @@ net none
 shell none
 tracelog
-#seccomp.keep access,arch_prctl,brk,clone,close,connect,execve,exit_group,fchmod,fchown,fcntl,fstat,futex,getcwd,getpeername,getrlimit,getsockname,getsockopt,lseek,lstat,mlock,mmap,mprotect,munmap,nanosleep,open,poll,prctl,read,recvfrom,recvmsg,restart_syscall,rt_sigaction,rt_sigprocmask,select,sendmsg,set_robust_list,set_tid_address,setresgid,setresuid,shmat,shmctl,shmget,shutdown,socket,stat,sysinfo,uname,unshare,wait4,write,writev
+#seccomp.keep access,arch_prctl,brk,clone,close,connect,execve,exit_group,fchmod,fchown,fcntl,fstat,futex,getcwd,getpeername,getrlimit,getsockname,getsockopt,lseek,lstat,mlock,mmap,mprotect,mremap,munmap,nanosleep,open,poll,prctl,read,recvfrom,recvmsg,restart_syscall,rt_sigaction,rt_sigprocmask,select,sendmsg,set_robust_list,set_tid_address,setresgid,setresuid,shmat,shmctl,shmget,shutdown,socket,stat,sysinfo,uname,unshare,wait4,write,writev
 private-bin mupdf
 private-tmp
diff --git a/etc/qemu-launcher.profile b/etc/qemu-launcher.profile
new file mode 100644
index 000000000..9fa8a91d4
--- /dev/null
+++ b/etc/qemu-launcher.profile
@@ -0,0 +1,20 @@
+# qemu-launcher profile
+noblacklist ~/.qemu-launcher
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+private-tmp
diff --git a/etc/qemu-system-x86_64.profile b/etc/qemu-system-x86_64.profile
new file mode 100644
index 000000000..3d4587fb1
--- /dev/null
+++ b/etc/qemu-system-x86_64.profile
@@ -0,0 +1,18 @@
+# qemu profile
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+private-tmp

diff --git a/etc/empathy.profile b/etc/empathy.profile index 371100814..2a0a6389c 100644 --- a/etc/empathy.profile +++ b/etc/empathy.profile
@@ -6,5 +6,7 @@ include /etc/firejail/disable-devel.inc
6	caps.drop all	6	caps.drop all
7	netfilter	7	netfilter
8	nonewprivs	8	nonewprivs
		9	nogroups
		10	noroot
9	protocol unix,inet,inet6	11	protocol unix,inet,inet6
10	seccomp	12	seccomp


diff --git a/etc/keepass2.profile b/etc/keepass2.profile new file mode 100644 index 000000000..fd390f7ed --- /dev/null +++ b/etc/keepass2.profile
@@ -0,0 +1,6 @@
		1	# keepass password manager profile
		2
		3	#noblacklist ${HOME}/.config/KeePass
		4	#noblacklist ${HOME}/.keepass
		5
		6	include /etc/firejail/keepass.profile


diff --git a/etc/kmail.profile b/etc/kmail.profile index bc21ba604..410ff36c6 100644 --- a/etc/kmail.profile +++ b/etc/kmail.profile
@@ -16,4 +16,4 @@ seccomp
16	tracelog	16	tracelog
17		17
18	private-dev	18	private-dev
19	private-tmp	19	# private-tmp


diff --git a/etc/mupdf.profile b/etc/mupdf.profile index e022866e8..dc23d5840 100644 --- a/etc/mupdf.profile +++ b/etc/mupdf.profile
@@ -16,7 +16,7 @@ net none
16	shell none	16	shell none
17	tracelog	17	tracelog
18		18
19	#seccomp.keep access,arch_prctl,brk,clone,close,connect,execve,exit_group,fchmod,fchown,fcntl,fstat,futex,getcwd,getpeername,getrlimit,getsockname,getsockopt,lseek,lstat,mlock,mmap,mprotect,munmap,nanosleep,open,poll,prctl,read,recvfrom,recvmsg,restart_syscall,rt_sigaction,rt_sigprocmask,select,sendmsg,set_robust_list,set_tid_address,setresgid,setresuid,shmat,shmctl,shmget,shutdown,socket,stat,sysinfo,uname,unshare,wait4,write,writev	19	#seccomp.keep access,arch_prctl,brk,clone,close,connect,execve,exit_group,fchmod,fchown,fcntl,fstat,futex,getcwd,getpeername,getrlimit,getsockname,getsockopt,lseek,lstat,mlock,mmap,mprotect,mremap,munmap,nanosleep,open,poll,prctl,read,recvfrom,recvmsg,restart_syscall,rt_sigaction,rt_sigprocmask,select,sendmsg,set_robust_list,set_tid_address,setresgid,setresuid,shmat,shmctl,shmget,shutdown,socket,stat,sysinfo,uname,unshare,wait4,write,writev
20		20
21	private-bin mupdf	21	private-bin mupdf
22	private-tmp	22	private-tmp


diff --git a/etc/qemu-launcher.profile b/etc/qemu-launcher.profile new file mode 100644 index 000000000..9fa8a91d4 --- /dev/null +++ b/etc/qemu-launcher.profile
@@ -0,0 +1,20 @@
		1	# qemu-launcher profile
		2
		3	noblacklist ~/.qemu-launcher
		4
		5	include /etc/firejail/disable-common.inc
		6	include /etc/firejail/disable-programs.inc
		7	include /etc/firejail/disable-passwdmgr.inc
		8
		9	caps.drop all
		10	netfilter
		11	nogroups
		12	nonewprivs
		13	noroot
		14	protocol unix,inet,inet6
		15	seccomp
		16	shell none
		17	tracelog
		18
		19	private-tmp
		20


diff --git a/etc/qemu-system-x86_64.profile b/etc/qemu-system-x86_64.profile new file mode 100644 index 000000000..3d4587fb1 --- /dev/null +++ b/etc/qemu-system-x86_64.profile
@@ -0,0 +1,18 @@
		1	# qemu profile
		2
		3	include /etc/firejail/disable-common.inc
		4	include /etc/firejail/disable-programs.inc
		5	include /etc/firejail/disable-passwdmgr.inc
		6
		7	caps.drop all
		8	netfilter
		9	nogroups
		10	nonewprivs
		11	noroot
		12	protocol unix,inet,inet6
		13	seccomp
		14	shell none
		15	tracelog
		16
		17	private-tmp
		18